http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5645
[EMAIL PROTECTED] changed:
            What|Removed                     |Added
----------------------------------------------------------------------------
Target Milestone|Undefined                   |3.3.0
------- Additional Comments From [EMAIL PROTECTED] 2007-09-11 12:29 -------
Ok, I've done what I had in mind. Self tests pass ok, it works fine from
a command line and under amavisd ([EMAIL PROTECTED], almost all plugins
enabled).
I haven't tested with user-supplied rules and with spamd (besides self-test).

I intentionally avoided blind-untainting during parsing of a config file,
so that certain variables (e.g. rules, loadable module names, ...) now
remain tainted until they reach the routine which knows what to expect and
what is safe to untaint. Letting tainted data propagate to a final consumer
as much as is practical is a general policy to be followed here - that is
my suggestion.

This may smoke out some additional Perl taint bugs regarding the
global variables $1, $2, ... which sometimes get mysteriously tainted.
Localizing these variables is a good practice anyway (avoiding the horrible
Perl practice of letting subroutines use global temporary variables).
I already added local($1,$2,...) where I stumbled across them; it is
possible that some more will be needed or desired.

If you come across some new taint problems in scenarios I haven't
tried, please let me know (or better still: fix them please).

Since 3.3.0 is not so close, it seems, I believe this gives
plenty of time to possibly do some additional modifications
in the spirit of this change, and squash possible bugs.

Thanks for bearing with me! My goal is to gradually make
SpamAssassin more robust and easier to troubleshoot.
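
The policy described in the comment above, shown as an added example that is
not part of the original comment and is not SpamAssassin code: a parser that
keeps values tainted and a final consumer that validates and untaints. The
sub names, the sample config lines, the accepted pattern and the use of
"use re 'taint'" are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl   (the file name is arbitrary)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample input. Appending a zero-length slice of $^X (tainted
# under -T) taints each string, as if it had been read from a config file.
my $TAINT = substr($^X, 0, 0);
my @config_lines = map { $_ . $TAINT } (
  'loadplugin Mail::SpamAssassin::Plugin::Example',  # hypothetical module
  'loadplugin ../../tmp/NotAModule',                 # not a package name
);

# Parser: splits the line but must not untaint. A plain capture would
# untaint silently, so "use re 'taint'" keeps the captures tainted here.
sub parse_line {
  my ($line) = @_;
  use re 'taint';
  local ($1, $2);                  # do not clobber the caller's $1, $2
  return unless $line =~ /^(\w+)\s+(.*)\z/;
  my ($key, $value) = ($1, $2);    # copy before local() restores them
  return ($key, $value);
}

# Final consumer: it knows a plugin name must look like a Perl package
# name, so it is the place to validate and untaint (assumed pattern).
sub untaint_module_name {
  my ($name) = @_;
  local ($1);
  return unless $name =~ /^((?:[A-Za-z_]\w*::)*[A-Za-z_]\w*)\z/;
  my $clean = $1;                  # a capture without re 'taint' is clean
  return $clean;
}

for my $line (@config_lines) {
  my ($key, $value) = parse_line($line) or next;
  printf "%s: value tainted after parsing: %s\n",
    $key, tainted($value) ? 'yes' : 'no';
  my $module = untaint_module_name($value);
  if (defined $module) {
    printf "  accepted %s, tainted: %s\n",
      $module, tainted($module) ? 'yes' : 'no';
  } else {
    print "  rejected, value stays tainted and unused\n";
  }
}
```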